diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth')
4 files changed, 517 insertions, 138 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index a8a7d0c51..5c0e497a3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -31,7 +31,6 @@ import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; -import java.util.Iterator; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -66,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; @@ -78,6 +78,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -102,6 +103,11 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.XPathUtils; +import at.gv.util.client.szr.SZRClient; +import at.gv.util.config.EgovUtilPropertiesConfiguration; +import at.gv.util.ex.EgovUtilException; +import at.gv.util.wsdl.szr.SZRException; +import at.gv.util.xsd.szr.PersonInfoType; /** * @author tlenz @@ -170,7 +176,11 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //get OnlineApplication from MOA-ID-Auth configuration oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(oaID); - + + //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway + if (oaParam.isSTORKPVPGateway()) + oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, protocolRequest); + } else { //build OnlineApplication dynamic from requested attributes oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); @@ -342,23 +352,46 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.debug("Build AuthData from assertion starts ...."); - authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME)); - authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME)); - authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); - authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); - authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME)); - authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); - authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME)); - authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); + authData.setIsBusinessService(oaParam.getBusinessService()); + + authData.setFamilyName(extractor.getSingleAttributeValue(PVPConstants.PRINCIPAL_NAME_NAME)); + authData.setGivenName(extractor.getSingleAttributeValue(PVPConstants.GIVEN_NAME_NAME)); + authData.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.BIRTHDATE_NAME)); + authData.setBPKType(extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); + authData.setCcc(extractor.getSingleAttributeValue(PVPConstants.EID_ISSUING_NATION_NAME)); + authData.setBkuURL(extractor.getSingleAttributeValue(PVPConstants.EID_CCS_URL_NAME)); + authData.setIdentificationValue(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_NAME)); + authData.setIdentificationType(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { - String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME); - authData.setBPK(pvpbPK.split(":")[1]); + String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME); + String[] spitted = pvpbPK.split(":"); + authData.setBPK(spitted[1]); + if (MiscUtil.isEmpty(authData.getBPKType())) { + Logger.debug("PVP assertion contains NO bPK/wbPK target attribute. " + + "Starting target extraction from bPK/wbPK prefix ..."); + //exract bPK/wbPK type from bpk attribute value prefix if type is + //not transmitted as single attribute + Pattern pattern = Pattern.compile("[a-zA-Z]{2}(-[a-zA-Z]+)?"); + Matcher matcher = pattern.matcher(spitted[0]); + if (matcher.matches()) { + //find public service bPK + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + spitted[0]); + Logger.debug("Found bPK prefix. Set target to " + authData.getBPKType()); + + } else { + //find business service wbPK + authData.setBPKType(Constants.URN_PREFIX_WBPK+ "+" + spitted[0]); + Logger.debug("Found wbPK prefix. Set target to " + authData.getBPKType()); + + } + } } + boolean foundEncryptedbPKForOA = false; if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { List<String> encbPKList = Arrays.asList( - extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";")); + extractor.getSingleAttributeValue(PVPConstants.ENC_BPK_LIST_NAME).split(";")); authData.setEncbPKList(encbPKList); for (String fullEncbPK : encbPKList) { int index = fullEncbPK.indexOf("|"); @@ -372,6 +405,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { + oaParam.getPublicURLPrefix() + " Start decryption process ..."); PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); + foundEncryptedbPKForOA = true; if (privKey != null) { try { String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); @@ -406,20 +440,99 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { - Logger.error("Federated assertion include no bPK or encrypted bPK"); + if (MiscUtil.isEmpty(authData.getIdentificationValue()) && + MiscUtil.isEmpty(authData.getBPK()) && + !foundEncryptedbPKForOA) { + Logger.info("Federated assertion include no bPK, encrypted bPK or baseID"); throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); + + " or " + PVPConstants.EID_SOURCE_PIN_NAME + + " or " + PVPConstants.ENC_BPK_LIST_NAME); + + } + + //check if received bPK matchs to online application configuration + //and no encrypted bPK is found for this oa + if (!matchsReceivedbPKToOnlineApplication(oaParam, authData) + && !foundEncryptedbPKForOA) { + Logger.info("Received bPK/wbPK does not match to online application"); + + if (MiscUtil.isEmpty(authData.getIdentificationValue())) { + Logger.info("No baseID found. Connect SZR to reveive baseID ..."); + try { + EgovUtilPropertiesConfiguration eGovClientsConfig = AuthConfigurationProvider.getInstance().geteGovUtilsConfig(); + if (eGovClientsConfig != null) { + SZRClient szrclient = new SZRClient(eGovClientsConfig); + + Logger.debug("Create SZR request to get baseID ... "); + PersonInfoType personInfo = new PersonInfoType(); + at.gv.util.xsd.szr.persondata.PhysicalPersonType person = new at.gv.util.xsd.szr.persondata.PhysicalPersonType(); + personInfo.setPerson(person); + at.gv.util.xsd.szr.persondata.PersonNameType name = new at.gv.util.xsd.szr.persondata.PersonNameType(); + person.setName(name); + at.gv.util.xsd.szr.persondata.IdentificationType idValue = new at.gv.util.xsd.szr.persondata.IdentificationType(); + person.setIdentification(idValue); + + //set bPK or wbPK + idValue.setValue(authData.getBPK()); + idValue.setType(authData.getBPKType()); + + //set person information + name.setGivenName(authData.getGivenName()); + name.setFamilyName(authData.getFamilyName()); + if (authData.getDateOfBirth() != null) + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + //request szr and store baseID + authData.setIdentificationValue(szrclient.getStammzahl(personInfo)); + authData.setIdentificationType(Constants.URN_PREFIX_BASEID); + + } else { + Logger.warn("No SZR clieht configuration found. Interfederation SSO login not possible."); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } + + } catch (ConfigurationException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } catch (EgovUtilException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } catch (SZRException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } + } + + //build OA specific bPK/wbPK information + buildOAspecificbPK(oaParam, authData, + authData.getIdentificationValue(), + authData.getIdentificationType()); + + } + + if (MiscUtil.isEmpty(authData.getBPK())) { + Logger.debug("Calcutlate bPK from baseID"); + buildOAspecificbPK(oaParam, authData, + authData.getIdentificationValue(), + authData.getIdentificationType()); } if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { try { - byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false); + byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false); authData.setAuthBlock(new String(authBlock, "UTF-8")); } catch (IOException e) { @@ -431,7 +544,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { try { authData.setSignerCertificate(Base64Utils.decode( - extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + extractor.getSingleAttributeValue(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); } catch (IOException e) { Logger.error("Received SignerCertificate is not valid", e); @@ -441,10 +554,10 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { try { - InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false); + InputStream idlStream = Base64Utils.decodeToStream(extractor.getSingleAttributeValue(PVPConstants.EID_IDENTITY_LINK_NAME), false); IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - authData.setIdentityLink(idl); - + buildOAspecificIdentityLink(oaParam, authData, idl); + } catch (ParseException e) { Logger.error("Received IdentityLink is not valid", e); @@ -456,12 +569,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { // set mandate attributes - authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); + authData.setMandateReferenceValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { try { byte[] mandate = Base64Utils.decode( - (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + (extractor.getSingleAttributeValue(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); @@ -502,9 +615,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { legalperson.getIdentification().add(legalID ); mandator.setCorporateBody(legalperson ); - legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); - legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); - idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); + legalperson.setFullName(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); + legalID.setType(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); + idvalue.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); //build natural person short mandate } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || @@ -524,18 +637,18 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Value idValue = new Value(); persID.setValue(idValue ); - String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); + String[] pvp2GivenName = extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); for(int i=0; i<pvp2GivenName.length; i++) persName.getGivenName().add(pvp2GivenName[i]); - familyName.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME)); - physPerson.setDateOfBirth(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME)); + familyName.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME)); + physPerson.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME)); if (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) { persID.setType(Constants.URN_PREFIX_BASEID); - idValue.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)); + idValue.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)); } else { - String[] pvp2bPK = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":"); + String[] pvp2bPK = extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":"); if (pvp2bPK.length == 2) { idValue.setValue(pvp2bPK[1]); @@ -547,7 +660,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { persID.setType(Constants.URN_PREFIX_WBPK + "+" + pvp2bPK[0]); } else { - Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)); + Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BPK_NAME)); throw new AssertionAttributeExtractorExeption("Receive mandator bPK from federation with an unsupported format."); } @@ -585,14 +698,25 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); authData.getMISMandate().setProfRep( - extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); + extractor.getSingleAttributeValue(PVPConstants.MANDATE_PROF_REP_OID_NAME)); } - + + //set PVP role attribute + if (extractor.containsAttribute(PVPConstants.ROLES_NAME)) { + String pvpRoles = extractor.getSingleAttributeValue(PVPConstants.ROLES_NAME); + if (MiscUtil.isNotEmpty(pvpRoles)) { + List<String> roles = Arrays.asList(pvpRoles.split(";")); + for (String role : roles) { + authData.addAuthenticationRole(AuthenticationRoleFactory.buildFormPVPole(role)); + } + } + } + //set STORK attributes if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { - authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME)); + authData.setStorkAuthnResponse(extractor.getSingleAttributeValue(PVPConstants.EID_STORK_TOKEN_NAME)); authData.setForeigner(true); } @@ -604,6 +728,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } authData.setSsoSession(true); + authData.setInterfederatedSSOSession(true); if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); @@ -616,17 +741,45 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setPublicAuthority(false); } + /** + * @param oaParam + * @param authData + * @return + */ + private static boolean matchsReceivedbPKToOnlineApplication( + IOAAuthParameters oaParam, AuthenticationData authData) { + + String oaTarget = null; + if (oaParam.getBusinessService()) { + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK) || + oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_STORK)) + oaTarget = oaParam.getIdentityLinkDomainIdentifier(); + + else { + Logger.warn("BusinessIdentifier can not be clearly assigned, because it starts without a prefix."); + return false; + + } + + } else { + oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); + + } + + + if (oaTarget.equals(authData.getBPKType())) + return true; + else + return false; + } + private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, IOAAuthParameters oaParam) throws BuildException, ConfigurationException { - - String target = oaParam.getTarget(); IdentityLink identityLink = session.getIdentityLink(); VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - boolean businessService = oaParam.getBusinessService(); - authData.setIssuer(session.getAuthURL()); //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO @@ -661,6 +814,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setForeigner(session.isForeigner()); authData.setQAALevel(session.getQAALevel()); + authData.setIsBusinessService(oaParam.getBusinessService()); + if (session.isForeigner()) { try { //TODO: replace with TSL lookup when TSL is ready! @@ -733,67 +888,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); } else { - - if (businessService) { - //since we have foreigner, wbPK is not calculated in BKU - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - - if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - registerAndOrdNr = registerAndOrdNr - .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + registerAndOrdNr); - } - - String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); - authData.setBPK(wbpkBase64); - authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - - } else { - authData.setBPK(identityLink.getIdentificationValue()); - authData.setBPKType(identityLink.getIdentificationType()); - - } - - Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - - Element idlassertion = session.getIdentityLink().getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IdentityLink idl = idlparser.parseIdentityLink(); - - //resign IDL - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - Element resignedilAssertion; - resignedilAssertion = identitylinkresigner.resignIdentityLink(idl.getSamlAssertion()); - IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); - IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); - - authData.setIdentityLink(resignedIDL); - - } else { - - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } - - Logger.trace("Authenticate user with bPK " + authData.getBPK()); - - authData.setIdentityLink(identityLink); - } + buildOAspecificbPK(oaParam, authData, + identityLink.getIdentificationValue(), + identityLink.getIdentificationType()); + + buildOAspecificIdentityLink(oaParam, authData, identityLink); + } @@ -803,4 +903,65 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } + + private static void buildOAspecificIdentityLink(IOAAuthParameters oaParam, AuthenticationData authData, IdentityLink idl) throws MOAIDException { + if (oaParam.getBusinessService()) { + Element idlassertion = idl.getSamlAssertion(); + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IdentityLink businessServiceIdl = idlparser.parseIdentityLink(); + + //resign IDL + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion; + resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion()); + IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); + IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); + + authData.setIdentityLink(resignedIDL); + + } else + authData.setIdentityLink(idl); + + + } + + private static void buildOAspecificbPK(IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { + + if (oaParam.getBusinessService()) { + //since we have foreigner, wbPK is not calculated in BKU + if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + authData.setBPK(new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr)); + authData.setBPKType(registerAndOrdNr); + + } else { + authData.setBPK(baseID); + authData.setBPKType(baseIDType); + + } + + Logger.trace("Authenticate user with wbPK " + authData.getBPK()); + + } else { + + if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(baseID, oaParam.getTarget()); + authData.setBPK(bpkBase64); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + } + + Logger.trace("Authenticate user with bPK " + authData.getBPK()); + } + + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index b122ba17e..063d7d8e4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -46,7 +46,6 @@ package at.gv.egovernment.moa.id.auth.builder; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.logging.Logger; @@ -54,7 +53,6 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; -import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -103,14 +101,7 @@ public class BPKBuilder { else basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); - String hashBase64 = Base64Utils.encode(hash); - return hashBase64; - } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"bPK", ex.toString()}, ex); - } + return calculatebPKwbPK(basisbegriff); } /** @@ -139,16 +130,24 @@ public class BPKBuilder { else basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); - String hashBase64 = Base64Utils.encode(hash); - return hashBase64; - } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"wbPK", ex.toString()}, ex); - } + return calculatebPKwbPK(basisbegriff); } + public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { + if (MiscUtil.isEmpty(baseID) || + !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || + bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || + bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { + throw new BuildException("builder.00", + new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget + + " has an unkown prefix."}); + + } + + return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); + + } + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); MiscUtil.assertNotNull(publicKey, "publicKey"); @@ -211,7 +210,8 @@ public class BPKBuilder { */ public String buildStorkeIdentifier(IdentityLink identityLink, String destinationCountry) throws BuildException { - return buildStorkbPK(identityLink, "AT", destinationCountry); + return buildStorkbPK(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), "AT", destinationCountry); } /** @@ -224,10 +224,7 @@ public class BPKBuilder { */ public String buildStorkeIdentifier(String identificationType, String identificationValue, String destinationCountry) throws BuildException { - IdentityLink tempIdentity = new IdentityLink(); - tempIdentity.setIdentificationType(identificationType); - tempIdentity.setIdentificationValue(identificationValue); - return buildStorkbPK(tempIdentity, "AT", destinationCountry); + return buildStorkbPK(identificationValue, identificationType, "AT", destinationCountry); } /** @@ -239,16 +236,17 @@ public class BPKBuilder { * @return storkid in a BASE64 encoding * @throws BuildException if an error occurs on building the wbPK */ - public String buildStorkbPK(IdentityLink identityLink, String sourceCountry, String destinationCountry) + public String buildStorkbPK(String baseID, String baseIDType, String sourceCountry, String destinationCountry) throws BuildException { String identificationValue = null; // check if we have been called by public sector application - if (identityLink.getIdentificationType().startsWith(Constants.URN_PREFIX_BASEID)) { - identificationValue = calculateStorkeIdentifierBase(identityLink, sourceCountry, destinationCountry); + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + identificationValue = calculateStorkeIdentifierBase(baseID, sourceCountry, destinationCountry); + } else { // if not, sector identification value is already calculated by BKU Logger.info("STORK eIdentifier already provided by BKU"); - identificationValue = identityLink.getIdentificationValue(); + identificationValue = baseID; } if ((identificationValue == null || @@ -266,19 +264,25 @@ public class BPKBuilder { return eIdentifier; } - - private String calculateStorkeIdentifierBase(IdentityLink identityLink, String sourceCountry, String destinationCountry) throws BuildException { - String basisbegriff = identityLink.getIdentificationValue() + "+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry; - Logger.info("Building STORK identification from: [identValue]+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry); - try { + + private String calculateStorkeIdentifierBase(String baseID, String sourceCountry, String destinationCountry) throws BuildException { + String basisbegriff = baseID + "+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry; + Logger.info("Building STORK identification from: [identValue]+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry); + return calculatebPKwbPK(basisbegriff); + + } + + private String calculatebPKwbPK(String basisbegriff) throws BuildException { + try { MessageDigest md = MessageDigest.getInstance("SHA-1"); byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); String hashBase64 = Base64Utils.encode(hash); - Logger.debug("STORK identification defined as: " + hashBase64); return hashBase64; + } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex); + throw new BuildException("builder.00", new Object[]{"bPK/wbPK", ex.toString()}, ex); } + } private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index 132b6af01..49f87122d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -33,7 +33,9 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -62,7 +64,7 @@ public class DynamicOAAuthParameterBuilder { attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { dynamicOA.setBusinessService(true); dynamicOA.setTarget(attrValue); - + } else { Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); @@ -106,4 +108,37 @@ public class DynamicOAAuthParameterBuilder { } + + /** + * @param oaParam + * @param protocolRequest + * @return + */ + public static IOAAuthParameters buildFromAuthnRequest( + IOAAuthParameters oaParam, IRequest protocolRequest) { + + DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters(); + dynOAParams.setApplicationID(oaParam.getPublicURLPrefix()); + dynOAParams.setBusinessService(oaParam.getBusinessService()); + + if (protocolRequest instanceof MOASTORKRequest) + return buildFromSTORKRequest(dynOAParams, (MOASTORKRequest) protocolRequest); + + Logger.warn("Dynamic OA generation failed. RequestType is not implemented."); + return null; + } + + /** + * @param oaParam + * @param protocolRequest + * @return + */ + private static IOAAuthParameters buildFromSTORKRequest( + DynamicOAAuthParameters oaParam, MOASTORKRequest protocolRequest) { + + oaParam.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + protocolRequest.getSpCountry()); + oaParam.setBusinessService(true); + + return oaParam; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index ade7d3f3c..4cd192070 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -27,7 +27,11 @@ import iaik.x509.X509Certificate; import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
+import java.net.URL;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Properties;
import javax.activation.DataSource;
import javax.servlet.ServletException;
@@ -68,24 +72,54 @@ import at.gv.util.xsd.xmldsig.X509DataType; import eu.stork.oasisdss.api.ApiUtils;
import eu.stork.oasisdss.api.LightweightSourceResolver;
import eu.stork.oasisdss.api.exceptions.ApiUtilsException;
+import eu.stork.oasisdss.api.utils.ByteArrayDataSource;
+import eu.stork.oasisdss.profile.DocumentType;
+import eu.stork.oasisdss.profile.DocumentWithSignature;
+import eu.stork.oasisdss.profile.SignRequest;
import eu.stork.oasisdss.profile.SignResponse;
import eu.stork.peps.auth.commons.IPersonalAttributeList;
import eu.stork.peps.auth.commons.PEPSUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.PersonalAttributeList;
+import eu.stork.peps.auth.commons.STORKAttrQueryRequest;
import eu.stork.peps.auth.commons.STORKAuthnRequest;
import eu.stork.peps.auth.commons.STORKAuthnResponse;
import eu.stork.peps.auth.engine.STORKSAMLEngine;
import eu.stork.peps.exceptions.STORKSAMLEngineException;
+import eu.stork.documentservice.DocumentService;
+import eu.stork.documentservice.data.DatabaseConnectorMySQLImpl;
+import javax.xml.namespace.QName;
+import javax.xml.ws.Service;
+import javax.xml.ws.soap.SOAPBinding;
+import javax.xml.ws.BindingProvider;
+
+
/**
* Endpoint for receiving STORK response messages
*/
public class PEPSConnectorServlet extends AuthServlet {
+
private static final long serialVersionUID = 1L;
public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnector";
-
+ private String dtlUrl = null;
+
+
+ public PEPSConnectorServlet()
+ {
+ super();
+ Properties props = new Properties();
+ try {
+ props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+ dtlUrl = props.getProperty("docservice.url");
+ } catch (IOException e) {
+ dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+ Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
+ e.printStackTrace();
+ }
+ }
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
@@ -245,7 +279,9 @@ public class PEPSConnectorServlet extends AuthServlet { String citizenSignature = null;
try {
String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
-
+
+ Logger.debug("signatureInfo:"+signatureInfo);
+
SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
// fetch signed doc
@@ -258,6 +294,19 @@ public class PEPSConnectorServlet extends AuthServlet { citizenSignature = IOUtils.toString(incoming);
incoming.close();
+ Logger.debug("citizenSignature:"+citizenSignature);
+ if(isDocumentServiceUsed(citizenSignature)==true)
+ {
+ Logger.debug("Loading document from DocumentService.");
+ String url = getDtlUrlFromResponse(dssSignResponse);
+ //get Transferrequest
+ String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+ //Load document from DocujmentService
+ byte[] data = getDocumentFromDtl(transferRequest, url);
+ citizenSignature = new String(data, "UTF-8");
+ Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ }
+
JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue();
@@ -423,5 +472,135 @@ public class PEPSConnectorServlet extends AuthServlet { }
}
+
+ private boolean isDocumentServiceUsed(String citizenSignature) //TODo add better check
+ {
+ if(citizenSignature.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>"))
+ return true;
+ return false;
+ }
+
+ /**
+ * Get DTL uril from the oasis sign response
+ * @param signRequest The signature response
+ * @return The URL of DTL service
+ * @throws SimpleException
+ */
+ private String getDtlUrlFromResponse(SignResponse dssSignResponse) {
+ List<DocumentWithSignature> documents = ApiUtils.findNamedElement(dssSignResponse.getOptionalOutputs(),
+ ApiUtils.OPTIONAL_OUTPUT_DOCUMENTWITHSIGNATURE, DocumentWithSignature.class);
+ DocumentType sourceDocument = documents.get(0).getDocument();
+
+ if (sourceDocument.getDocumentURL() != null)
+ return sourceDocument.getDocumentURL();
+ else
+ return null;//throw new Exception("No document url found");
+ }
+
+//From DTLPEPSUTIL
+
+
+
+ /**
+ * Get document from DTL
+ * @param transferRequest The transfer request (attribute query)
+ * @param eDtlUrl The DTL url of external DTL
+ * @return the document data
+ * @throws SimpleException
+ */
+ private byte[] getDocumentFromDtl(String transferRequest, String eDtlUrl) throws Exception
+ {
+ URL url = null;
+ try
+ {
+ url = new URL(dtlUrl);
+ QName qname = new QName("http://stork.eu",
+ "DocumentService");
+
+ Service service = Service.create(url, qname);
+ DocumentService docservice = service.getPort(DocumentService.class);
+
+ BindingProvider bp = (BindingProvider) docservice;
+ SOAPBinding binding = (SOAPBinding) bp.getBinding();
+ binding.setMTOMEnabled(true);
+
+ if (eDtlUrl.equalsIgnoreCase(dtlUrl))
+ return docservice.getDocument(transferRequest, "");
+ else
+ return docservice.getDocument(transferRequest, eDtlUrl);
+ }
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ throw new Exception("Error in getDocumentFromDtl", e);
+ }
+ }
+
+ /**
+ * Get a document transfer request (attribute query)
+ * @param docId
+ * @return
+ * @throws SimpleException
+ */
+ private String getDocTransferRequest(String docId, String destinationUrl) throws Exception
+ {
+ String spCountry = docId.substring(0, docId.indexOf("/"));
+ final STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
+ STORKAttrQueryRequest req = new STORKAttrQueryRequest();
+ req.setAssertionConsumerServiceURL(dtlUrl);
+ req.setDestination(destinationUrl);
+ req.setSpCountry(spCountry);
+ req.setQaa(3);//TODO
+ PersonalAttributeList pal = new PersonalAttributeList();
+ PersonalAttribute attr = new PersonalAttribute();
+ attr.setName("docRequest");
+ attr.setIsRequired(true);
+ attr.setValue(Arrays.asList(docId));
+ pal.add(attr);
+ req.setPersonalAttributeList(pal);
+
+ STORKAttrQueryRequest req1;
+ try {
+ req1 = engine.generateSTORKAttrQueryRequest(req);
+ return PEPSUtil.encodeSAMLTokenUrlSafe(req1.getTokenSaml());
+ } catch (STORKSAMLEngineException e) {
+ e.printStackTrace();
+ throw new Exception("Error in doc request attribute query generation", e);
+ }
+ }
+
+ /**
+ * Get mime type of document from DTL
+ * @param docId The document id
+ * @param dtlUrl The url of dtl
+ * @return The mime type
+ */
+// private String getDocumentMimeFromDtl(String docId, String eDtlUrl) throws Exception
+// {
+// URL url = null;
+// try
+// {
+// url = new URL(dtlUrl);
+// QName qname = new QName("http://stork.eu",
+// "DocumentService");
+//
+// Service service = Service.create(url, qname);
+// DocumentService docservice = service.getPort(DocumentService.class);
+//
+// BindingProvider bp = (BindingProvider) docservice;
+// SOAPBinding binding = (SOAPBinding) bp.getBinding();
+// binding.setMTOMEnabled(true);
+//
+// if (eDtlUrl.equalsIgnoreCase(dtlUrl))
+// return docservice.getDocumentMime(docId, "");
+// else
+// return docservice.getDocumentMime(docId, eDtlUrl);
+// }
+// catch (Exception e)
+// {
+// e.printStackTrace();
+// throw new Exception("Error in getDocumentFromDtl", e);
+// }
+// }
}
|